Nmap - Network Mapper

Nmap (Network Mapper) is a security scanner used to discover hosts and services on a computer network. Nmap sends specially crafted packets to the target host and then analyzes the responses. Unlike many simple port scanners that just send packets at some predefined constant rate, Nmap accounts for network conditions (latency fluctuations, network congestion, the target's interference with the scan) during the run. Nmap has extended its discovery capabilities well beyond determining whether a host is up or down or a port is open or closed: it can determine the operating system of the target, the names and versions of the listening services, estimate uptime, identify the type of device, and detect the presence of a firewall. Nmap runs on Linux, Microsoft Windows, Solaris, HP-UX and BSD variants (including Mac OS X), and also on AmigaOS and SGI IRIX.
For regular updates about network security testing and the usage of security testing software (with video and downloads) you can visit Barb13 Unsecured blogspot.
In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
Nmap 5.50: a primary focus of this release is the Nmap Scripting Engine (NSE), which has allowed Nmap to expand up the protocol stack and take network discovery to the next level. Nmap 5.50 includes 177 NSE scripts, 2982 OS fingerprints, and 7319 version detection signatures. Release focuses were Nmap Scripting Engine performance, the Zenmap GUI and the Nping packet analysis tool. Nmap can now query all sorts of application protocols, including web servers, databases, DNS servers, FTP and now even Gopher servers.
For more information about the Nmap Scripting Engine (NSE), see here

Nmap features include:
- Host Discovery - Identifying hosts on a network, for example listing the hosts which respond to pings, or which have a particular port open
- Port Scanning - Enumerating the open ports on one or more target hosts
- Version Detection - Interrogating network services listening on remote devices to determine the application name and version number
- OS Detection - Remotely determining the operating system and some hardware characteristics of network devices
- Scriptable interaction with the target - using the Nmap Scripting Engine (NSE) and the Lua programming language, customized queries can be made
In addition to these Nmap can provide further information on targets, including reverse DNS names, device types, and MAC addresses.
Typical uses of Nmap:
- Auditing the security of a device, by identifying the network connections which can be made to it
- Identifying open ports on a target host in preparation for auditing
- Network inventory, Network mapping, maintenance, and asset management

SYNTAX
nmap [Scan Type(s)] [Options] {target specification}

TARGET SPECIFICATION:
-iL Input from list of hosts/networks
-iR Choose random targets
--exclude host1[,host2][,host3] Exclude hosts/networks
--excludefile Exclude list from file

HOST DISCOVERY:
-sL List Scan - simply list targets to scan
-sP Ping Scan - go no further than determining if host is online
-P0 Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist] TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM ICMP echo, timestamp, and netmask request discovery probes
-n/-R Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers serv1[,serv2] Specify custom DNS servers
--system-dns Use OS's DNS resolver

SCAN TECHNIQUES:
-sS/sT/sA/sW/sM TCP SYN/Connect()/ACK/Window/Maimon scans
--scanflags Customize TCP scan flags
-sI Idlescan
-sO IP protocol scan
-b FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER:
-p Only scan specified ports Ex: -p22; -p1-65535; -pU:53,111,137
-F Fast - Scan only the ports listed in the nmap-services file
-r Scan ports consecutively - don't randomize

SERVICE/VERSION DETECTION:
-sV Probe open ports to determine service/version info
--version-intensity Set from 0 (light) to 9 (try all probes)
--version-light Limit to most likely probes (intensity 2)
--version-all Try every single probe (intensity 9)
--version-trace Show detailed version scan activity (for debugging)

OS DETECTION:
-O Enable OS detection
--osscan-limit Limit OS detection to promising targets
--osscan-guess Guess OS more aggressively

TIMING AND PERFORMANCE:
Options which take
-T[0-5] Set timing template (higher is faster)
--min-hostgroup/max-hostgroup Parallel host scan group sizes
--min-parallelism/max-parallelism Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout Specifies probe round trip time.
--max-retries Caps number of port scan probe retransmissions
--host-timeout Give up on target after this long
--scan-delay/--max-scan-delay Adjust delay between probes

FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu fragment packets (optionally w/given MTU)
-D decoy1,decoy2[,ME] Cloak a scan with decoys
-S Spoof source address
-e Use specified interface
-g/--source-port Use given port number
--data-length Append random data to sent packets
--ttl Set IP time-to-live field
--spoof-mac Spoof your MAC address
--badsum Send packets with a bogus TCP/UDP checksum

OUTPUT:
-oN/-oX/-oS/-oG Output scan in normal, XML, s|
-oA Output in the three major formats at once
-v Increase verbosity level (use twice for more effect)
-d[level] Set or increase debugging level (Up to 9 is meaningful)
--packet-trace Show all packets sent and received
--iflist Print host interfaces and routes (for debugging)
--log-errors Log errors/warnings to the normal-format output file
--append-output Append to rather than clobber specified output files
--resume Resume an aborted scan
--stylesheet XSL stylesheet to transform XML output to HTML
--webxml Reference stylesheet from Insecure.Org for more portable XML
--no-stylesheet Prevent associating of XSL stylesheet w/XML output

MISC:
-6 Enable IPv6 scanning
-A Enables OS detection and Version detection
--datadir Specify custom Nmap data file location
--send-eth/--send-ip Send using raw ethernet frames or IP packets
--privileged Assume that the user is fully privileged
-V Print version number

Examples
nmap -P0 204.228.150.3
Running the above port scan on the Computer Hope IP address would give information similar to the example below. Keep in mind that the above command uses -P0 with the digit zero, not the letter O.
Interesting ports on www.computerhope.com (204.228.150.3):
Not shown: 1019 filtered ports, 657 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
113/tcp open auth
443/tcp open https
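The normal-format listing above is what Nmap prints for each host; for inventory work (see the Ndiff tool mentioned earlier) it is useful to turn it into structured data and compare two runs. The following is an added example, not code from the page or from the Nmap project: it parses the "PORT STATE SERVICE" table from -oN style output and reports ports that became open or stopped being open between two scans. The second scan text is a constructed sample based on the page's output.

```python
import re
from typing import Dict, Tuple

# Constructed samples modelled on the normal-format output shown above.
# The host and first listing come from the page; the second scan is
# invented to show a diff (113/tcp gone, 3306/tcp newly open).
SCAN_BEFORE = """\
Interesting ports on www.computerhope.com (204.228.150.3):
Not shown: 1019 filtered ports, 657 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
113/tcp open auth
443/tcp open https
"""

SCAN_AFTER = """\
Interesting ports on www.computerhope.com (204.228.150.3):
Not shown: 1018 filtered ports, 657 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
443/tcp open https
3306/tcp open mysql
"""

# "<port>/<proto> <state> [<service>]"; state may be e.g. "open|filtered"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)(?:\s+(\S+))?")

def parse_normal_output(text: str) -> Dict[Tuple[int, str], Tuple[str, str]]:
    """Map (port, proto) -> (state, service) from Nmap normal (-oN) output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:  # header/summary lines do not start with a port number
            ports[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4) or "unknown")
    return ports

def diff_open_ports(before: str, after: str):
    """Return (newly_open, no_longer_open) as sets of (port, proto), a minimal Ndiff."""
    open_before = {k for k, (st, _) in parse_normal_output(before).items() if st == "open"}
    open_after = {k for k, (st, _) in parse_normal_output(after).items() if st == "open"}
    return open_after - open_before, open_before - open_after

if __name__ == "__main__":
    new, gone = diff_open_ports(SCAN_BEFORE, SCAN_AFTER)
    for port, proto in sorted(new):
        print(f"NEW open port: {port}/{proto}")
    for port, proto in sorted(gone):
        print(f"no longer open: {port}/{proto}")
```

An unexpected entry in the "NEW open port" list is the asset-management signal to follow up on; the grepable (-oG) and XML (-oX) formats listed under OUTPUT are the more robust choices for production tooling.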
Basic commands working in Nmap
For target specifications:
nmap (target hostnames or IPs, separated by spaces), for example: nmap 192.168.0.1 10.0.0-255.1-254 or nmap scanme.nmap.org and similar
For OS detection :
nmap -O (target-host's URL or IP)
For Version detection:
nmap -sV (target-host's URL or IP)
For configuring response timings (-T0 to -T5, increasing in aggressiveness):
nmap -T0 -sV -O (target-host's URL or IP)

Download Nmap (Zenmap GUI) for Windows here

Download Nmap for Linux-32 bit here

Download Nmap for Linux-64 bit here
